Ah ha! Thanks!

On 10/22/06, George Toft <george@georgetoft.com> wrote:
>
> In a word - no.
>
> Let's assume you are sending a packet with some text via some
> application. It gets encrypted, and header/trailer info is added. It
> might even get fragmented based on MTU size. At the other end, the
> packets get reassembled, unencrypted, and presented to the application.
> Since the payload (or data) is encrypted at a higher layer, that
> payload remains encrypted in the lower layers.
>
> The reverse is true as well on the other end - once the packets are
> reassembled and decrypted, the payload can be read normally. This is
> why the VPN endpoint needs to be controlled - once the data is out of
> the tunnel, it's fair game to sniff and record.
>
> George Toft, CISSP, MSIS
> 623-203-1760
>
> jordi laforge wrote:
> > Thanks for the information. While I am new to VPNs I do understand the
> > concept of how they work. That said, I do appreciate all the good info
> > you gave and will read those links.
> >
> > In order to save an email I'd like to include a question I had from one
> > of Eric's emails.
> > Since SSL VPNs work at a higher OSI layer, does that mean that the stuff
> > at the lower layers is not encrypted? Like MAC address and IP address.
> > Thanks all for answering my questions. You are most helpful.
> >
> >
> > On 10/21/06, *Kurt Granroth* <plug-discuss@granroth.org> wrote:
> >
> > jordi laforge wrote:
> > > I'm trying to provide a roadwarrior situation. Here is what I'm
> > > looking at:
> > > Small 8-12 user LAN.
> > > 4-5 of these users have home PCs (Windows) that they'd like to use to
> > > connect to the office and use the file server\ email\ databases.
> > > The Windows file server has PPTP capabilities.
> > >
> > > I could either use the Windows PPTP or set up another server running
> > > Linux with OpenVPN. Or something else I haven't thought of....but you
> > > guys suggest.
> > > Whaddya think?
> >
> > Okay, it sounds like you're not all that familiar with VPNs in general,
> > based on your comments here and in later messages. I *strongly* suggest
> > doing some quick reading on that topic first before getting into
> > specifics. The 'howstuffworks' entry on VPNs is not half-bad and the
> > Wikipedia page is excellent.
> >
> > Here's the very very short summary: A VPN would allow your 'road
> > warriors' to connect to the home office while they are at home or on the
> > road. The user's remote laptop or desktop would get a special IP that
> > is specific to the VPN through which all traffic to work is 'tunneled'
> > in an encrypted manner. Done properly, the remote worker would be able
> > to access ALL of the services that she could normally access while in
> > the office... but in a safe and secure manner over the public Internet.
> >
> > Now PPTP has the advantage here of being very easy to set up and if you
> > have one of the Windows Servers, then you have half of it already nearly
> > set up. You would need to get clients for any Linux users, but that's
> > not a problem as I'm fairly certain that there is now "native" support
> > in the kernel.
> >
> > HOWEVER, PPTP is considered to be fundamentally broken by some respected
> > cryptographers. A quote from Bruce Schneier: "Microsoft PPTP is very
> > broken, and there's no real way to fix it without taking the whole thing
> > down and starting over."
> >
> > http://www.schneier.com/pptp-faq.html
> >
> > OpenVPN is a free solution that has so far been proven to be rock-solid.
> > It is, however, not as easy to set up as PPTP. In fact, if you want to
> > do anything more than a peer-to-peer setup, you will likely have to do a
> > considerable bit of reading and some configuration file editing.
> >
> > Mind you, while the reading is verbose, it's not hard to understand and
> > it shouldn't take more than a few hours to get everything set up. I'm
> > told, too, that some of the GUIs available make it a lot easier (haven't
> > used any of them) and some of the specialized distros like Smoothwall
> > and IPCop should make it even easier yet.
> >
> > Now this is a Linux group so we'll tend to lean towards using a Linux
> > based solution for the "server" side. I'm honor bound to tell you,
> > though, that you don't have to. OpenVPN is fundamentally a peer-to-peer
> > VPN (with some variances) and works just dandy on Windows. So you
> > *could* run it as a service on your Windows Server and it would likely
> > chug away just fine. There is even a handy GUI for it.
> >
> > I recommend starting with some reading:
> >
> > http://openvpn.net/howto.html
> > http://openvpn.net/INSTALL-win32.html
> > http://openvpn.se/
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > <mailto:PLUG-discuss@lists.plug.phoenix.az.us>
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
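Added example (editor's illustration, not code from this thread, from George, Kurt, or the OpenVPN project): a small Python model of the layering George describes. The application payload and the inner VPN-side addresses are encrypted as one unit at the tunnel layer; a cleartext outer header carrying the public endpoint addresses is added so the packet can cross the Internet; the ciphertext is split to fit an MTU; the far endpoint reorders, reassembles, checks integrity and decrypts. All addresses, the key and the payload are constructed sample values. The cipher is a toy (SHA-256 counter-mode keystream plus an HMAC-SHA256 tag) chosen only so the script runs with the standard library; it is not OpenVPN's wire format and is not meant for real use.

```python
import hashlib
import hmac
import os
import struct

# Toy tunnel cipher, constructed for this illustration only (NOT OpenVPN's
# protocol and NOT a real cipher): SHA-256 counter-mode keystream + HMAC tag.
NONCE_LEN, TAG_LEN = 12, 32
# Cleartext outer header: outer src IP, outer dst IP, fragment index, fragment count.
OUTER_HDR = struct.Struct(">4s4sHH")


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def _ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">I", ctr)).digest()
        ctr += 1
    return bytes(out[:length])


def tunnel_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def tunnel_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tunnel integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Inner packet: private VPN addresses plus application data (all encrypted later)."""
    return _ip(src) + _ip(dst) + payload


def encapsulate(key: bytes, outer_src: str, outer_dst: str, inner: bytes, mtu: int) -> list:
    """Encrypt the whole inner packet, then split the ciphertext into MTU-sized
    fragments; each fragment gets its own cleartext outer header."""
    blob = tunnel_encrypt(key, inner)
    chunk = mtu - OUTER_HDR.size
    if chunk <= 0:
        raise ValueError("MTU too small for the outer header")
    pieces = [blob[i:i + chunk] for i in range(0, len(blob), chunk)]
    return [OUTER_HDR.pack(_ip(outer_src), _ip(outer_dst), i, len(pieces)) + p
            for i, p in enumerate(pieces)]


def parse_outer(fragment: bytes) -> dict:
    """What a sniffer between the endpoints can read: only the outer header."""
    src, dst, idx, total = OUTER_HDR.unpack_from(fragment)
    return {"src": _ip_str(src), "dst": _ip_str(dst), "index": idx,
            "count": total, "ciphertext": fragment[OUTER_HDR.size:]}


def decapsulate(key: bytes, fragments: list) -> bytes:
    """Far endpoint: reorder by index, reassemble, authenticate, decrypt."""
    parsed = sorted((parse_outer(f) for f in fragments), key=lambda p: p["index"])
    total = parsed[0]["count"]
    if [p["index"] for p in parsed] != list(range(total)):
        raise ValueError("missing or duplicate fragment")
    return tunnel_decrypt(key, b"".join(p["ciphertext"] for p in parsed))


def leaks_payload(fragments: list, payload: bytes) -> bool:
    """True if the application data is visible in any on-the-wire fragment."""
    return any(payload in f for f in fragments)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"          # constructed
    payload = b"GET /payroll/report.xls HTTP/1.0"             # constructed
    inner = build_inner_packet("10.8.0.2", "10.8.0.1", payload)
    frags = encapsulate(key, "203.0.113.5", "198.51.100.9", inner, mtu=40)
    for f in frags:
        h = parse_outer(f)
        print(f"on the wire: {h['src']} -> {h['dst']} frag {h['index']}/{h['count']}")
    print("payload visible on the wire:", leaks_payload(frags, payload))
    print("after the endpoint decrypts:", decapsulate(key, frags)[8:])
```

Running the script prints the outer addresses and fragment numbers a sniffer on the path would see, reports that the payload text never appears in any fragment, and then shows the plaintext once the endpoint has reassembled and decrypted it, which is the point of George's last paragraph: after that step the data is ordinary cleartext, so whoever controls the endpoint controls what happens to it.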